Is This The Girl That Hacked HBGary? (blogs.forbes.com)
This girl might not exist; but because we all really really want a 16 year old girl to be the hacker the discrepancies are glossed over (the art of a good lie is not giving too much detail and letting other people's imagination fill the gaps).
On the other hand the personality strikes me strongly as female, so if it is a facade it is a very well constructed one, which the imposter empathises with.
But, on the whole, the setup "feels" wrong (and I tend to trust my instincts in such matters).
I could on average phish about an account a minute and I was never figured out. I only fell out of character once to warn an 18 year old kid, that talking to 14 year old girls sexually online wasn't the best use of his time. He freaked out and thought I was a cop!
It's relatively trivial to do this, most people will ignore minor slip ups provided you have the right context. I would set context by doing the following:
1. I would set my profile to the geolocation of the room I intended to work. I would then find a school and neighborhood to say I was from.
2. I would suggest I was home sick (and thus alone).
3. I would use an innocent, although, sexual name in my username like "booty"
4. I would use emoticons and "hehe" on probably 75% of all messages sent.
5. I would let them contact me first. If you contact them they get scared. If they contact you, they feel like they are in control.
For example, I could tell them the wrong name and many wouldn't notice, or if they did simply saying, "Oh, that's my middle name" is usually sufficient.
With all that said, anyone know of a way I could use my experiences and ability at social engineering online in a legit manner?
See if Chris Hansen is hiring?
That last bit makes absolutely no sense. It's easier to learn SQL injection than the many, many different ways that memory management can go wrong. References to her memorising Windows Opcodes sound like a random phrase thrown in for credibility (you do after a while remember certain functions - 11 years after writing my first ARM shellcode I still remember it, even though I'll probably never use it).
The whole description of how she progressed just doesn't sound right. You can be up and running with SQL injection in less than an hour, learning buffer overflows and understanding them properly probably takes about a day and a bit at best (and that's assuming that you know C, how to use a debugger and how a compiler works). The Micro-SD strategy also seems a little extreme (but is viable, our testing gets done under a VM, there's no reason why that couldn't go on a micro SD card).
I'm calling BS on Kayla being a girl, mainly because the story just doesn't fit right compared to the application of Occam's Razor - that this is someone else trying to cover their tracks.
I remember I started learning in C, reading security and working on perl all at the same time. I didn't even know about SQL for a couple years after that. This was in the late 90's and early 00's tho, things were a bit different, but it isn't improbable nor impractical to have this learning curve in a semi-self taught way. It is even less improbable given that her dad probably taught what he knew best, C and Kernel stuff.
When I was a kid, my grandfather was an electrician. I grew up learning about house wiring, and how to do it properly and quickly. I learned how to solder and do stuff with wires long before I ever did basic electronic theory stuff. It never occurred to me that 120VAC was any more dangerous than a small fire. Imagine my surprise when in college I first encountered these professors who were terrified of wall current ('of course it will hurt you, just don't be stupid' is still how I think of both fire and electricity, the stuff isn't magic). I was confused when we went over stupid "this is how a dpdt switch works" and annoyed that we never played with any circuits more advanced than I grew up doing for over a year. I had never had any basic electronic theory at that point.
So: do you disbelieve me because I didn't learn in some natural progression as an electrician apprentice would? Because I didn't learn in the order the courses laid out in college?
tl; dr -- the idea of a "natural progression" in learning is just bunk.
It is an awesome story, though. Regardless of whether it's true or not, it's effective at both rallying the neckbeards and shaming opponents. It's funny to see how much deference is paid to her on IRC, although I only started going there after news of the HBGary incident broke, so she already had quite a lot of cred.
`k may or may not be a 16 year old girl, but it's a hell of a troll if she isn't. I'm not aware of many anons who could pull something like that off for so long. There were a few back in the day who had managed to become trusted enough at anontalk to get promoted to wiseguys, but that took a couple months, not a couple years. For that reason, as well as her general demeanor, I'm inclined to believe her.
But then of course the smartest ones are the people no one will ever hear about, so who knows.
Basically, everyone is excited because she's a girl.
"Meanwhile she refuses to be chained to her computer, limiting herself to a few hours a night online. She rarely visits online forums, "they’re boring," and a few days a week takes a course in college to further her goal of being a teacher. She lives in an English-speaking country, not the U.K., but won’t say more about it."
So the previous paragraph stated she was "memorizing Windows Opcodes and scouring source code for exploitable bugs", but then suddenly she only spends a few hours online? Not likely. Most hardcore hackers I know don't just drop off the radar. The hunt to break into systems is like a drug. I have yet to read about, or know any hacker who simply spends a few hours online a day. At the speed internet security moves, this person's knowledge would be useless inside of 6 months.
Also, how does this person maintain her expert hacker knowledge with a few cursory hours a day on the internet? Literally impossible. Add in the admission she deletes all her emails and wipes all her drives clean? Really? Does this person memorize every line of code she uses then?
My conclusion? A carefully crafted profile of an Anon personality. Although I have no doubt this person probably exists, it certainly is not a 16 year old girl, and a majority of the information in the article is total BS. When you apply some very basic logic, the story just falls apart.
I've always known C was just a gateway to the dangerous stuff.
And people call me paranoid. :)
Look at Mafiaboy back in 2000 -- he took down Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. I'm not even sure that he was 16 yet (I don't have his age offhand).
Is this a crazy and possibly fake story? Of course. Does that mean that it can't be true? Not by a long shot.
I work in information security, and at 16 knew a hell of a lot about SQL injection, buffer overflows, cross site scripting and oodles of other vulnerability classes. This girl didn't work alone, but part of a hacker group -- to me, it seems totally feasible.
I'm not saying that we should take every word an anonymous "16 year old girl" says on the Internet as absolute fact, but discounting this attack because it seems like a girl couldn't pull it off seems sexist and wrong. Again, if this were some pimply-faced male high schooler, no one would bat an eye.
I doubt that the character is really a 16-year-old girl because she's telling Forbes she's a 16-year-old girl.
If 'k said he were a 16-year-old boy, I'd doubt he were a 16-year-old boy.
If 'k said she were a 33-year-old quant on Wall St., I'd doubt she were a 33-year-old quant. Etc.
I just seriously doubt that this character is giving any real identifiable information to Forbes.
From http://www.hackerfactor.com/GenderGuesser.php
Genre: Informal Female = 171 Male = 182 Difference = 11; 51.55% Verdict: Weak MALE
Weak emphasis could indicate European.
From http://bookblog.net/gender/analysis.php
Female Score: 94 Male Score: 133
The Gender Genie thinks the author of this passage is: male!
Grepped this, which Ars Technica claims is a real chat log. She says just under 200 words on this log, and it comes up as weak male again on Gender Guesser and male on Gender Genie. Her username of `k is removed for the analysis. http://pastebin.com/x69Akp5L
Here's the article where Ars Technica links to that pastebin http://arstechnica.com/tech-policy/news/2011/02/how-one-secu...
Genre: Formal Female = 509 Male = 971 Difference = 462; 65.6% Verdict: MALE
Computing represents a pretty specialized topic, and most of the sample data with computing-related discussion will be from men. It would be pretty tough for any simple Bayesian analysis to account for this.
Kayla first asks for root password using two passwords that she already has but might not necessarily be the root one. She also already knows that remote root isn't allowed. This way:
1) She'd get the root password e-mailed to her if it wasn't one of those two. "No, it's not those, it's '<password>'."
2) She sets up her point of entry.
Great stuff.
obvious troll is obvious
Maybe instead of asking questions about her here, you ask her like I did?
kayla@anonleaks.ch
If she really is who she said she is that's one smart kid!
http://www.guardian.co.uk/technology/2011/mar/17/us-spy-oper...
FML, I have a CS degree and still can't program ASM.
I don't remember any such exploit. You could produce that image by posting a lot.
Your complaint does not represent majority usage in English, let alone modern usage.
http://ngrams.googlelabs.com/graph?content=girl+that,girl+wh...
Middle school English teachers love to invent simple rules of the language that don't reflect actual usage very well. The choice between "that" and "who" as relativisers is subtle, and the animacy constraint doesn't explain the facts of how people speak.
1) usage is disputed at a level beyond middle school English.
2) "that" is often preferred for restrictive clauses.
Oh the horror.
1. Using the same computer that connects via phone, wireless, etc. and then using any email service.
2. Machine characteristics: since they cannot get the machine ID they go for the next best digital fingerprint, i.e. operator grammar/typos, CPU speed, RAM size, etc.
3. Websites have visitor logs; the track back to you eventually gets fleshed out.
I think the Forbes article writer got played..
I agree that the persona is bullshit and that 'she' is probably a mid-to-late 20s male but...
Where does it say that she/he wipes all her drives clean? It only says that (s)he wipes her web accounts. From reading the article, (s)he keeps her personal files/documents on a MicroSD card; quite a smart and disposable solution really.
Perhaps the personal files are encrypted also? It's interesting to imagine what other steps you could take to protect your privacy, it probably wouldn't be too difficult to do alternating sharding at the bits and bytes level over SSH with off-site storage (Half on MicroSD, half off-site), does any tool do something similar currently? You could even put a self-destruct timer on the offsite storage (if last_login > 5 days ago: format hard drive with 40-pass erase) or maybe a kill-switch containing sensitive information (à la Wikileaks).
Some of the other discrepancies, though, look more suspicious. The very notion that a security-conscious person who has just committed a federal crime would spill so much about his/her life in a random newspaper article reeks of BS.
If that is true, online account operators, email providers could link this type of behavior to one of their members quite quickly.
For 5+ years, I've been downloading my email with fetchmail, which deletes the message on the server. Once a minute. I don't like the thought of my emails sitting in the cloud for too long.
And then I was thinking about how the police sometimes "leak" that the suspect in some crime is a weak, pathetic individual whom nobody really cares about, in hopes that they will offend the real suspect who will then self identify in defense of their honor. If you thought the Anonymous ring leader on the HBGary hack was some teenage guy then the best way to provoke a response would be to either call him gay or a girl it seems.
I wonder how well the E-book Ars put out is selling. And more importantly, if it's really successful I wonder if these people who did this are comfortable with someone getting rich off their exploits?
You see? The twisted depths to which you go if you start down these paths. Sheesh.
I've used FDE for many years simply out of precaution against theft.
(Using a gender guesser is genius though)
still don't think that is what the article was referring to since it was 'windows opcodes'
http://www.urbandictionary.com/define.php?term=kids+are+the+...
I'm pretty sure the phrase even predates 4chan though... Most likely originates from USENET or IRC.
I paraphrased though, and the grandparent post must have a better memory (or better Google skills) than me, which is probably why you can't find an exact match...
Example from 2001: http://www.bash.org/?2832
Pretty sure the line goes back further than that though.
My guess is that it’s a parody of A Prairie Home Companion’s line about “Lake Wobegon, where all the women are strong, all the men are good looking, and all the children are above average.” Though that might itself be playing on some earlier such line?
I've studied oral-formulaic poetry, and one of the interesting aspects of it is that everyone tells the same stories over and over, and what makes one retelling superior is not the actual content, but the way it's delivered. I may well have seen it before. But long line lengths and easy Verdana text make HN good for memorable one-liners, and your retelling had punctuation, capitalization, and pithiness.
Except that the "you just got hacked by a 16-year old girl" taunt was apparently started in Anonymous circles soon after the attack. Not to say any of this is true or not fabricated, just that it's not likely being fabricated from outside for those kinds of reasons.
Which is presumably itself a parody, I'd guess of some standard line from a Western. But I couldn't pin it down to exactly where.
To me it was a big experiment to maximize conversion and minimize detectability.
The biggest take away from this is that I realized that social interactions have formulas and you can take advantage of those formulas. You can also find shortcuts to the formula or make certain parts of the formula more important or less important based on context.
This is a textbook usage of social engineering. Putting in divorced parents, single child getting all the attention from the engineer dad making the kid an above average amongst his/her peers, and then putting in a girl, so to make you focus less on the flaws in the story and drool over the hot-geek image more... evergreen combination.
I would doubt though that Forbes came up with this on their own. Rather, it could very much be someone from anon, just having little more fun.
I would expect that the journalist as a filter makes this even more likely. The journalist would then ignore irregularities or dull them in the story presenting the most consistent pieces in the story, not the least.
I would say one advantage that I had, is I could test responses, over and over again. But that is always what allowed me to basically have a formula that would result in 95%+ conversion on the phishing attacks. The other 5% oftentimes were do-gooders trying to tell me not to be in chat rooms or to warn me about pedos.
I particularly liked your comment about finding formulas for social interactions. Have you tried looking for work at a social startup? From what I have heard of Facebook's culture, you would fit right in.
I think the link is just http://en.wikipedia.org/wiki/transactional_analysis if that's wrong I apologize, I'm typing this from my phone
I don't even think plausible deniability would hold in court -- claiming that a large blob of random data on your hard drive is just there for no reason at all is not plausible.
What I don't understand is that in a context of a court (and this group of competent professionals), password disclosure _should_ be considered self-incrimination (although there was at least one case in the UK where a judge came up with some loophole reasoning around that). Disclosure of multiple passwords ("we didn't like what we found, do you have any other passwords?") would certainly be obtained under great duress.
To make sure that you can't distinguish free space from encrypted noise, you have to write random noise everywhere as part of the filesystem creation process.
The one thing Truecrypt is vulnerable to is that you can note what parts changed -- say they raid your house twice and image it between when you used it. Then they'll know that free space isn't really free.
Assange has your back.
That said -- I would think that a random blob of data sitting around on the hard drive is still highly suspect. Aren't hard drives zeroed from the factory? And wouldn't any true "garbage" data be decidedly not random? (Even if it's compressed... you would still expect to find headers etc. somewhere.)
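The two points debated in the comments above (a noise-filled region looks alike in any single image, but two images taken at different times expose writes into "free" space), as an added forensic sketch that is not part of the original thread. The block size, the constructed images, the free-block set and all function names are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed block size for this sketch

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for uniform noise."""
    n = len(block)
    return sum(-c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def classify(block: bytes) -> str:
    """Coarse label for one block, from byte entropy alone."""
    h = shannon_entropy(block)
    if h < 0.01:
        return "constant"      # e.g. never-written, zero-filled space
    if h > 7.5:
        return "random-like"   # ciphertext, compressed data or noise fill
    return "structured"        # text, filesystem metadata, most file formats

def blocks(image: bytes) -> list:
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]

def changed_free_blocks(before: bytes, after: bytes, free: set) -> list:
    """Blocks the visible filesystem lists as free that differ between two images."""
    pairs = zip(blocks(before), blocks(after))
    return [i for i, (a, b) in enumerate(pairs) if i in free and a != b]

def noise(seed: bytes, nblocks: int) -> bytes:
    """Deterministic stand-in for a random fill (SHA-256 in counter mode)."""
    count = nblocks * BLOCK // 32
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(count))

# Constructed 8-block images: blocks 0-1 allocated, blocks 2-7 free and noise-filled.
FREE = {2, 3, 4, 5, 6, 7}
TEXT = (b"constructed sample file contents\n" * 130)[:BLOCK]
IMAGE_T1 = TEXT + TEXT + noise(b"t1", 6)
_b = blocks(IMAGE_T1)
_b[1] = (b"edited file\n" * 400)[:BLOCK]   # ordinary write to an allocated block
_b[5] = noise(b"t2", 1)                     # write landing in "free" space
IMAGE_T2 = b"".join(_b)

if __name__ == "__main__":
    print([classify(b) for b in blocks(IMAGE_T1)])
    print([classify(b) for b in blocks(IMAGE_T2)])   # same labels as the first image
    print(changed_free_blocks(IMAGE_T1, IMAGE_T2, FREE))
```

Entropy labels are the same for both images, so a single snapshot cannot separate noise fill from ciphertext; only the block-level comparison singles out the free block that changed.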
Take a look at http://www.truecrypt.org/docs/ - it is an interesting read.
When the police demand the key from you, you give them the one that unlocks the clean partition. Now, at this point it doesn't matter if they don't believe you, it doesn't matter if they know all about truecrypt and hidden partitions, there is no way for them to prove in a court of law or otherwise that there is a hidden partition there. You can just keep telling them "I gave you the password! I just wipe my free space with noise every night! It's just noise!" and you have plausible deniability.
As far as I'm aware this is only in theory. I'm not aware of any case of this actually being tested in court. But mathematically, it is apparently sound.
http://www.schneier.com/blog/archives/2009/10/evil_maid_atta...